Merging main into release

Author: aws-sdk-kotlin-ci

.changes/256a9c00-f658-4ee8-9e02-2cf46b76a900.json

@@ -0,0 +1,8 @@
+{
+    "id": "256a9c00-f658-4ee8-9e02-2cf46b76a900",
+    "type": "bugfix",
+    "description": "Add `forcePathStyle` and `enableAccelerate` config properties back to the S3 client.",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#1098"
+    ]
+}

.changes/cfedccd4-4819-4fb7-9570-9db62ef484a8.json

@@ -0,0 +1,5 @@
+{
+    "id": "cfedccd4-4819-4fb7-9570-9db62ef484a8",
+    "type": "misc",
+    "description": "Upgrade to the latest version of **smithy-kotlin**"
+}

.changes/dc1ee1a2-547e-4caa-8696-2affe5289d42.json

@@ -0,0 +1,5 @@
+{
+    "id": "dc1ee1a2-547e-4caa-8696-2affe5289d42",
+    "type": "feature",
+    "description": "Support EKS endpoints and auth token file in container credentials provider."
+}

.github/workflows/release-check.yml

@@ -0,0 +1,90 @@
+name: Update release branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit_message:
+        description: |
+          The merge commit message to use for non fast-forward merges.
+        required: false
+        type: string
+      dry_run:
+        description: Dry runs will only attempt to merge but the result will not be pushed to the release branch
+        required: true
+        type: boolean
+        default: true
+
+concurrency:
+  group: release-manual-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: 'main'
+          fetch-depth: 0
+          token: ${{ secrets.CI_USER_PAT }}
+      - name: Configure Git
+        shell: bash
+        run: |
+          git config user.name aws-sdk-kotlin-ci 
+          git config user.email "[email protected]"
+      - name: Configure JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: 17
+          cache: 'gradle'
+      - name: Check merge base
+        shell: bash
+        run: |
+          git status
+          git branch -vv
+          git fetch
+          main_sha=$(git rev-parse main)
+          release_sha=$(git rev-parse origin/release)
+          echo "main_sha=$main_sha" >> $GITHUB_ENV
+          echo "release_sha=$release_sha" >> $GITHUB_ENV
+          if git merge-base --is-ancestor $main_sha $release_sha; then
+              echo "main@$main_sha already exists in origin/release, nothing to update";
+              echo "MERGE_NEEDED=false" >> $GITHUB_ENV;
+          else
+              echo "MERGE_NEEDED=true" >> $GITHUB_ENV
+          fi
+      - name: Release Check - snapshot versions
+        if: env.MERGE_NEEDED == 'true'
+        run: |
+          # We aren't releasable if we (1) directly depend on a snapshot version of a dependency OR (2) can't build the project without unreleased changes
+          if grep -q -i snapshot ./gradle/libs.versions.toml; then
+            echo "::error ::found snapshot version in libs.versions.toml"
+            exit 1
+          fi
+      - name: Release Check - build
+        if: env.MERGE_NEEDED == 'true'
+        run: |
+          # Our CI is implemented as a "live at HEAD" model where we build against the latest of all our 1P deps (either
+          # main branch or matching branch name). Double check that without this "live at HEAD" mode we still build 
+          # successfully (which is how it is built during release).
+          # This should help prevent the cases where we forgot to bump smithy-kotlin versions and don't catch it
+          # because CI is masking it
+          ./gradlew -Paws.kotlin.native=false test jvmTest
+      - name: Merge
+        if: env.MERGE_NEEDED == 'true'
+        shell: bash
+        run: |
+          echo "merging main @ $main_sha into release @ $release_sha";
+          git switch release;
+          input_message=${{ inputs.commit_message }}
+          message=${input_message:-"Merging main into release"}
+          echo "message=$message"
+          git merge -m "$message" main;
+          if [ "${{ inputs.dry_run }}" == "true" ]; then
+            echo "dry run, skipping push to remote";
+            git log -n 10 --oneline;
+          else
+            echo "pushing changes to release branch";
+            git push origin release;
+          fi

.github/workflows/update-release-branch.yml

@@ -55,10 +55,10 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/DefaultChainCredentia
 
 public final class aws/sdk/kotlin/runtime/auth/credentials/EcsCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CloseableCredentialsProvider {
 	public fun <init> ()V
-	public fun <init> (Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;)V
-	public synthetic fun <init> (Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;)V
+	public synthetic fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public fun close ()V
-	public final fun getPlatformProvider ()Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;
+	public final fun getPlatformProvider ()Laws/smithy/kotlin/runtime/util/PlatformProvider;
 	public fun resolve (Laws/smithy/kotlin/runtime/util/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 }
 

aws-runtime/aws-config/api/aws-config.api

@@ -23,8 +23,7 @@ import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
 import aws.smithy.kotlin.runtime.http.request.header
 import aws.smithy.kotlin.runtime.http.response.HttpResponse
 import aws.smithy.kotlin.runtime.io.closeIfCloseable
-import aws.smithy.kotlin.runtime.net.Scheme
-import aws.smithy.kotlin.runtime.net.Url
+import aws.smithy.kotlin.runtime.net.*
 import aws.smithy.kotlin.runtime.operation.ExecutionContext
 import aws.smithy.kotlin.runtime.retries.policy.RetryDirective
 import aws.smithy.kotlin.runtime.retries.policy.RetryErrorType
@@ -33,7 +32,6 @@ import aws.smithy.kotlin.runtime.serde.json.JsonDeserializer
 import aws.smithy.kotlin.runtime.telemetry.logging.logger
 import aws.smithy.kotlin.runtime.time.TimestampFormat
 import aws.smithy.kotlin.runtime.util.Attributes
-import aws.smithy.kotlin.runtime.util.PlatformEnvironProvider
 import aws.smithy.kotlin.runtime.util.PlatformProvider
 import kotlin.coroutines.coroutineContext
 
@@ -61,7 +59,7 @@ private const val PROVIDER_NAME = "EcsContainer"
  *
  */
 public class EcsCredentialsProvider(
-    public val platformProvider: PlatformEnvironProvider = PlatformProvider.System,
+    public val platformProvider: PlatformProvider = PlatformProvider.System,
     httpClient: HttpClientEngine? = null,
 ) : CloseableCredentialsProvider {
 
@@ -70,7 +68,7 @@ public class EcsCredentialsProvider(
 
     override suspend fun resolve(attributes: Attributes): Credentials {
         val logger = coroutineContext.logger<EcsCredentialsProvider>()
-        val authToken = AwsSdkSetting.AwsContainerAuthorizationToken.resolve(platformProvider)
+        val authToken = loadAuthToken()
         val relativeUri = AwsSdkSetting.AwsContainerCredentialsRelativeUri.resolve(platformProvider)
         val fullUri = AwsSdkSetting.AwsContainerCredentialsFullUri.resolve(platformProvider)
 
@@ -107,6 +105,22 @@ public class EcsCredentialsProvider(
         return creds
     }
 
+    private suspend fun loadAuthToken(): String? {
+        val token = AwsSdkSetting.AwsContainerAuthorizationTokenFile.resolve(platformProvider)?.let { loadAuthTokenFromFile(it) }
+            ?: AwsSdkSetting.AwsContainerAuthorizationToken.resolve(platformProvider)
+            ?: return null
+
+        if (token.contains("\r\n")) {
+            throw CredentialsProviderException("Token contains illegal line break sequence.")
+        }
+
+        return token
+    }
+
+    private suspend fun loadAuthTokenFromFile(path: String): String =
+        platformProvider.readFileOrNull(path)?.decodeToString()
+            ?: throw CredentialsProviderException("Could not read token file.")
+
     /**
      * Validate that the [relativeUri] can be combined with the static ECS endpoint to form a valid URL
      */
@@ -127,7 +141,6 @@ public class EcsCredentialsProvider(
      * @return the validated URL
      */
     private suspend fun validateFullUri(uri: String): Url {
-        // full URI requires verification either https OR that the host resolves to loopback device
         val url = try {
             Url.parse(uri)
         } catch (ex: Exception) {
@@ -136,16 +149,22 @@ public class EcsCredentialsProvider(
 
         if (url.scheme == Scheme.HTTPS) return url
 
-        // TODO - validate loopback via DNS resolution instead of fixed set. Custom host names (including localhost) that
-        //  resolve to loopback won't work until then. ALL resolved addresses MUST resolve to the loopback device
-        val allowedHosts = setOf("127.0.0.1", "::1")
+        when (url.host) {
+            is Host.IpAddress -> {
+                if (allowedAddrs.contains((url.host as Host.IpAddress).address)) {
+                    return url
+                }
 
-        if (url.host.toString() !in allowedHosts) {
-            throw ProviderConfigurationException(
-                "The container credentials full URI ($uri) has an invalid host. Host can only be one of [${allowedHosts.joinToString()}].",
+                throw ProviderConfigurationException(
+                    "The container credentials full URI ($uri) has an invalid host. Host can only be one of [${allowedAddrs.joinToString()}].",
+                )
+            }
+
+            // TODO - resolve hostnames
+            is Host.Domain -> throw ProviderConfigurationException(
+                "The container credentials full URI ($uri) is specified via hostname which is not currently supported.",
             )
         }
-        return url
     }
 
     override fun close() {
@@ -228,3 +247,11 @@ internal class EcsCredentialsRetryPolicy : RetryPolicy<Any?> {
         else -> RetryDirective.TerminateAndFail
     }
 }
+
+private val ecsV4Addr = IpV4Addr(169u, 254u, 170u, 2u)
+
+private val eksV4Addr = IpV4Addr(169u, 254u, 170u, 23u)
+
+private val eksV6Addr = IpV6Addr(0xfd00u, 0xec2u, 0u, 0u, 0u, 0u, 0u, 0x23u)
+
+private val allowedAddrs = setOf(IpV4Addr.LOCALHOST, IpV6Addr.LOCALHOST, ecsV4Addr, eksV4Addr, eksV6Addr)

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/EcsCredentialsProvider.kt

@@ -139,6 +139,12 @@ public object AwsSdkSetting {
     public val AwsContainerAuthorizationToken: EnvironmentSetting<String> =
         strEnvSetting("aws.containerAuthorizationToken", "AWS_CONTAINER_AUTHORIZATION_TOKEN")
 
+    /**
+     * A path to a file which contains an authorization token to pass to a container metadata service.
+     */
+    public val AwsContainerAuthorizationTokenFile: EnvironmentSetting<String> =
+        strEnvSetting("aws.containerAuthorizationTokenFile", "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
+
     /**
      * The maximum number of request attempts to perform. This is one more than the number of retries, so
      * aws.maxAttempts = 1 will have 0 retries.